As information technology spreads, the problem of malicious software such as viruses and worms grows worse. More than 35,000 forms of malicious software have emerged to date, and more than 40,000,000 computers are infected each year. Preventing these attacks requires not only secure transmission and input validation, but also a defense that starts at the source, that is, at each endpoint connected to the network. Conventional security defense technologies, however, can no longer withstand the variety of malicious attacks.
To solve the above problem, the Trusted Computing Group (TCG) developed a network connection specification based on trusted computing technologies, Trusted Network Connect (TNC), referred to briefly as TCG-TNC. It includes an open architecture for endpoint integrity and a set of standards for secure interoperation, and allows a network to be protected to a level defined by the user. In essence, TCG-TNC establishes a connection on the basis of endpoint integrity. First, a set of policies on the internal running state of systems is established for the trusted network. Only endpoints complying with these network policies may access the network; devices not complying with the policies are isolated and located by the network. Because a trusted platform module (TPM) is used, attacks by rootkits may be blocked. A rootkit is an attack script, a modified system program, or a whole set of attack scripts and tools designed to illegally obtain the highest control authority over a target system.
As shown in FIG. 1, a TCG-TNC architecture in the prior art includes three logical entities, namely, an access requestor (AR), a policy enforcement point (PEP), and a policy decision point (PDP), which may be distributed at any position in a network. The TCG-TNC architecture may be divided vertically into a network access layer, an integrity evaluation layer, and an integrity measurement layer. The network access layer includes three components, namely, a network access requestor (NAR), a policy enforcer (PE), and a network access authority (NAA), as well as a network authorization transport protocol interface (IF-T) and a policy enforcement point interface (IF-PEP). The network access layer supports conventional network connection technologies. The integrity evaluation layer is responsible for evaluating the integrity of all entities requesting network access. It has two important interfaces, namely, an integrity measurement collector interface (IF-IMC) and an integrity measurement verifier interface (IF-IMV), and in addition a TNC client-server interface (IF-TNCCS) between the TNC client (TNCC) and the TNC server (TNCS). The integrity measurement layer includes two components, namely, an integrity measurement collector (IMC) and an integrity measurement verifier (IMV), which are responsible for collecting and verifying integrity-related information for the AR.
The information transmission process for a complete trusted network connection in the prior-art TCG-TNC architecture is as follows. Before the network connection is established, the TNCC prepares the required platform integrity information and transmits it to the IMC. In an endpoint with a TPM, the platform information required by the network policy is hashed and stored in platform configuration registers (PCRs). The TNCS predefines a platform integrity verification requirement and transmits it to the IMV. The specific process is as follows:
(1) The NAR initiates an access request to the PE.
(2) The PE sends an access request description to the NAA.
(3) Upon receiving the access request description of the NAR, the NAA runs a user authentication protocol with the NAR. If user authentication succeeds, the NAA sends the access request, together with an indication that user authentication succeeded, to the TNCS.
(4) Upon receiving the access request and the indication of successful user authentication from the NAA, the TNCS begins mutual platform credential authentication with the TNCC, for example, by verifying the attestation identity key (AIK) of the platform.
(5) If platform credential authentication succeeds, the TNCC indicates to the IMC that a new connection request has occurred and that an integrity handshake must be carried out. The IMC returns the required platform integrity information through the IF-IMC, and the TNCS passes the platform integrity information to the IMV through the IF-IMV.
(6) During the integrity handshake, the TNCC and the TNCS exchange data one or more times until the TNCS is satisfied.
(7) When the TNCS has completed the integrity check handshake with the TNCC, it sends a recommendation to the NAA that access be granted. The PDP may still decline to grant network access if the AR has not met other security policy requirements.
(8) The NAA sends an access decision to the PE, and finally the PE enforces the decision to control the access of the AR.
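The following single-process walk-through of steps (1) to (8) is an added illustration and is not code from the TCG specifications or from this document. It assumes simplified stand-ins for each real mechanism: user authentication is a nonce challenge answered with an HMAC over a shared password; an AIK "certificate" is an HMAC by a hypothetical privacy CA (in place of an X.509 credential chain); the IMC reports two PCR values built with the TPM-style extend operation; and the IMV compares them against reference values the TNCS pre-loaded. All component names, reference measurements and user records are constructed for the example. The point it adds to the prose is where each decision is taken and what a non-compliant endpoint receives (isolation rather than a plain deny).

```python
import hashlib
import hmac
import os

ZERO_PCR = b"\x00" * 32

def pcr_extend(old: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA-256(old || SHA-256(measurement))."""
    return hashlib.sha256(old + hashlib.sha256(measurement).digest()).digest()

# Constructed reference measurements that the TNCS pre-loads into the IMV.
GOOD_BIOS = b"bios-image-2.1"
GOOD_BOOTLOADER = b"bootloader-1.4"
REFERENCE_PCRS = {
    "PCR0": pcr_extend(ZERO_PCR, GOOD_BIOS),
    "PCR4": pcr_extend(ZERO_PCR, GOOD_BOOTLOADER),
}

# Hypothetical privacy CA: an AIK "certificate" is an HMAC over the AIK name.
# This is a stand-in for a real AIK credential chain, not how the TCG specifies it.
CA_KEY = os.urandom(32)

def issue_aik_cert(aik_name: bytes) -> bytes:
    return hmac.new(CA_KEY, aik_name, hashlib.sha256).digest()

def verify_aik_cert(aik_name: bytes, cert: bytes) -> bool:
    return hmac.compare_digest(issue_aik_cert(aik_name), cert)


class IMC:
    """Integrity measurement collector on the AR: hands over the endpoint's PCRs."""
    def __init__(self, bios: bytes, bootloader: bytes):
        self.pcrs = {"PCR0": pcr_extend(ZERO_PCR, bios),
                     "PCR4": pcr_extend(ZERO_PCR, bootloader)}

    def collect(self) -> dict:
        return dict(self.pcrs)


class IMV:
    """Integrity measurement verifier on the PDP: checks reported PCRs against policy."""
    def __init__(self, reference: dict):
        self.reference = reference

    def verify(self, reported: dict) -> list:
        """Names of PCRs that differ from the reference; an empty list means compliant."""
        return [n for n, want in self.reference.items() if reported.get(n) != want]


class Endpoint:
    """An AR or PDP platform: AIK name and cert, plus its IMC (AR) or IMV (PDP)."""
    def __init__(self, aik_name: bytes, imc: IMC = None, imv: IMV = None):
        self.aik_name = aik_name
        self.aik_cert = issue_aik_cert(aik_name)
        self.imc, self.imv = imc, imv


def trusted_network_connect(ar: Endpoint, user: str, password: bytes,
                            pdp: Endpoint, user_db: dict) -> dict:
    """Run steps (1)-(8) in one process and return the decision the PE would enforce."""
    # (1)-(2): NAR -> PE -> NAA carries only the access request description.
    # (3): user authentication, modelled as a nonce challenge answered with an HMAC.
    nonce = os.urandom(16)
    answer = hmac.new(password, nonce, hashlib.sha256).digest()
    expected = hmac.new(user_db.get(user, b""), nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(answer, expected):
        return {"decision": "deny", "reason": "user authentication failed"}
    # (4): mutual platform credential authentication; both AIK certs are validated.
    if not (verify_aik_cert(ar.aik_name, ar.aik_cert) and
            verify_aik_cert(pdp.aik_name, pdp.aik_cert)):
        return {"decision": "deny", "reason": "AIK certificate validation failed"}
    # (5)-(6): integrity handshake. IMC collects over IF-IMC; TNCS forwards to IMV over IF-IMV.
    mismatched = pdp.imv.verify(ar.imc.collect())
    if mismatched:
        # Non-compliant endpoint: isolated so it can be located and remediated.
        return {"decision": "isolate", "reason": "integrity mismatch", "pcrs": mismatched}
    # (7)-(8): TNCS recommends access, the NAA decides, the PE enforces.
    return {"decision": "allow", "reason": "policy satisfied"}


if __name__ == "__main__":
    users = {"alice": b"correct horse"}              # constructed user database
    pdp = Endpoint(b"aik:pdp", imv=IMV(REFERENCE_PCRS))
    good_ar = Endpoint(b"aik:laptop-1", imc=IMC(GOOD_BIOS, GOOD_BOOTLOADER))
    bad_ar = Endpoint(b"aik:laptop-2", imc=IMC(GOOD_BIOS, b"bootloader-1.4-rootkit"))
    print(trusted_network_connect(good_ar, "alice", b"correct horse", pdp, users))
    print(trusted_network_connect(bad_ar, "alice", b"correct horse", pdp, users))
    print(trusted_network_connect(good_ar, "alice", b"wrong", pdp, users))
```

The ordering mirrors the specification: user authentication and platform credential authentication both precede the integrity handshake, so an endpoint never gets to report measurements before its identity is established, and a measurement mismatch yields isolation (step 7's recommendation with a remediation posture) rather than the hard deny reserved for authentication failures.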
Currently, no mature TCG-TNC architecture product is available on the market. Some important technologies for the TCG-TNC architecture are still at the stage of research and specification development, and the TCG-TNC architecture mainly has the following disadvantages:
1. Poor extensibility. A secure channel is predefined between the PEP and the PDP, and a PDP may manage a large number of PEPs, so the PDP has to configure a correspondingly large number of secure channels. Management becomes complex, and extensibility suffers.
2. Complex key agreement process. Because data in the network access layer requires security protection, a secure channel has to be established between the AR and the PDP, that is, session key agreement has to be carried out between the AR and the PDP. Data between the AR and the PEP also requires protection, however, so session key agreement has to be carried out a second time between the AR and the PEP, which makes the key agreement process complex.
3. Low security. The master key agreed upon by the AR and the PDP is transmitted by the PDP to the PEP. Sending the key over the network introduces new points of attack and degrades security. Moreover, because the same master key is used in both session key agreements, the security of the entire TNC architecture is further degraded.
4. The AR may be unable to validate the AIK certificate of the PDP. During platform credential authentication, the AR and the PDP perform mutual platform credential authentication using AIK private keys and certificates, and each endpoint needs to validate the other's AIK certificate. If the PDP is the Internet service provider (ISP) of the AR, the AR cannot access the network, and therefore cannot validate the PDP's AIK certificate, until a trusted network connection has been established, which is insecure.
5. Platform integrity evaluation is not peer-to-peer. In the TCG-TNC architecture, the PDP performs platform integrity evaluation on the AR, but the AR does not perform platform integrity evaluation on the PDP. If the platform of the PDP is not trusted, the AR's connection to an untrusted device is not secure. Peer-to-peer trust is, however, necessary in ad hoc networks.